Description
Markus Pieton has discovered a weakness and multiple vulnerabilities in LimeSurvey, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct spoofing attacks.
1) Input passed via the "sid" parameter to admin/admin.php (when "action" is set to "activate") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "fixnumbering" parameter to admin/admin.php (when "action" is set to "activate" and "sid" is set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) Input passed via the "lang" parameter to admin/admin.php (when "action" is set to "previewquestion" and "sid" and "qid" are set) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of vulnerabilities #1, #2, and #3 requires "Create survey" permissions.
4) Input passed via the "redirect" parameter to index.php (when "move" is set to "clearall" and "lang" and "sid" are set) is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
The weakness and the vulnerabilities are confirmed in version 1.92+ Build 120822. Other versions may also be affected.
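A defensive sketch of the checks items 1) to 4) call for, written in PHP because the affected scripts are PHP: strict parsing of the numeric and language parameters, a bound query parameter, and a redirect target check. This is an added example, not LimeSurvey's code or its fix; the helper names, the "surveys" table, the language-code pattern and the host "survey.example" are assumptions.

```php
<?php
// Added illustration, not LimeSurvey code: helper names, the language-code
// pattern, the table and the trusted host are assumptions for this example.

// "sid", "qid", "fixnumbering": plain decimal digits only; anything else is null.
function int_param(array $in, string $key): ?int {
    $v = $in[$key] ?? null;
    return (is_string($v) && preg_match('/\A[0-9]{1,9}\z/', $v)) ? (int)$v : null;
}

// "lang": a short language-code shape such as "en" or "pt-BR"; anything else is null.
function lang_param(array $in, string $key): ?string {
    $v = $in[$key] ?? null;
    return (is_string($v) && preg_match('/\A[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*\z/', $v)) ? $v : null;
}

// "redirect": a local path or an https URL on the trusted host; otherwise a fixed page.
function safe_redirect($target, string $trustedHost, string $fallback = '/index.php'): string {
    if (!is_string($target) || $target === '' || preg_match('/[\x00-\x20\\\\]/', $target)) {
        return $fallback;                  // empty, control characters, spaces or backslashes
    }
    if ($target[0] === '/') {              // local path, but "//host" is scheme-relative
        return (substr($target, 0, 2) === '//') ? $fallback : $target;
    }
    $p = parse_url($target);
    $ok = is_array($p)
        && strtolower($p['scheme'] ?? '') === 'https'
        && strcasecmp($p['host'] ?? '', $trustedHost) === 0
        && !isset($p['user']) && !isset($p['pass']);
    return $ok ? $target : $fallback;
}

// Constructed demo: in-memory SQLite stands in for the survey database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE surveys (sid INTEGER PRIMARY KEY, active TEXT)');
$db->exec("INSERT INTO surveys VALUES (12345, 'N')");

// Constructed request values; rejected ones come back as null and never reach SQL.
$req = ['sid' => '12345', 'fixnumbering' => '1 OR 1=1', 'lang' => 'en',
        'redirect' => 'https://other.example/'];
$sid  = int_param($req, 'sid');
$fix  = int_param($req, 'fixnumbering');
$lang = lang_param($req, 'lang');
if ($sid !== null) {                       // the value is bound, never concatenated
    $stmt = $db->prepare('UPDATE surveys SET active = :a WHERE sid = :sid');
    $stmt->execute([':a' => 'Y', ':sid' => $sid]);
}
var_dump($sid, $fix, $lang, safe_redirect($req['redirect'], 'survey.example'));
```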